New node: ShiningArmor.shadowtrackr.com
29 September 2019
Currently most work is done on fixing bugs and reducing technical debt. There is not much new to talk about, but you should know that there's a new scanner node. I know that some of you maintain whitelists, so you should add this new node. You can see the complete list of nodes here.
Oh, and the website is updated. The homepage has a nice animation now that should explain in 11 seconds what ShadowTrackr is about. Happy to hear any comments :-)
Ignoring assets
08 September 2019
Some of the bigger clients have infrastructure of which they only want to monitor a subset. For domains with many subdomains this has been available for a while. It wasn't really the most usable or logical solution, but it worked. And then a new problem surfaced.
ShadowTrackr picked up about 1400 Docker containers on a particular subdomain. These were not really important to the client, and messages about the Docker instances started crowding out the important ones on the timeline. Ignoring this meant clicking 1400 checkboxes to start, and then manually tracking all new hosts as they are generated. The client of course requested a feature to ignore an entire subdomain.
I took the opportunity to redesign the ignore filter. The new version will give you a better overview, is available for all domains (including those with only a few subdomains or hosts) and supports automatically ignoring anything found on a subdomain. If, for instance, you want to ignore all hosts under docker.shadowtrackr.com, you:
- add the subdomain under assets
- click on the + sign after adding
- click on the filter link right next to it
- tick the box to ignore subdomains for it
- save the new settings
You will be able to see all newly found URLs for the subdomain under ignored assets, but no messages about these will appear on your timeline. Be careful to only ignore assets that do not create risks for you. If you do ignore something your business partners or clients consider yours, this might blow up in your face when you miss a security warning.
Ignoring not only URLs but also IPs is still on the to-do list. This will be added next.
Threat intelligence
15 July 2019
If you just ticked the intel box for messages on your timeline, it has been a bit empty lately.
This is because I had to remove some boring stuff. The interesting events that remained under intel did not occur very often. This week's update includes an attempt to improve that.
I find myself checking multiple security blogs regularly to see if there are any new reports available on particular APTs.
As often happens when browsing the internet, I find a lot of other news as well, and only hours later am I back to work. I figured more people have this problem and I should automate it in ShadowTrackr.
Under traps you'll see a new tab: Intel. You can select which APTs you're interested in and when there is new information available it will appear on your timeline. Alerts to your email address or smartphone are also possible of course, and you'll notice something new there too.
In bigger organizations you'll have more specialized functions and some (the threat intel people) will likely want alerts pushed. The other security people might not. So, you can now set alerts just for yourself or for all ShadowTrackr users on your account. I'm guessing that this is very useful for other traps as well and I'll start working on implementing this feature for all traps.